“Remote access” VPN model: host to gateway
Dynamic Routing Inside IPsec VPNs- 4
Black Hat Briefings – Paul Knight
Two IPsec Modes: Transport and Tunnel Mode
(Figure: packet layouts. Transport mode: IP header followed by data, with optional encryption. Tunnel mode: outer IP header, inner IP header, then data, with optional encryption.)
Application of the IPsec modes
(Figure: host-to-host communication across the Internet, showing the untrusted network between trusted networks.)
– Parameters
• Authentication algorithm and keys
• Encryption algorithm and keys
• Lifetime
• Security Protocol Mode (tunnel or transport)
• Anti-replay service
• Link with an associated policy in the SPD
(Figure: SAD lookup keyed on the destination IP address, security protocol and SPI taken from the IP header and IPsec header; SPD lookup keyed on policy selectors; the SAD and SPD are linked.)
• Usual conversation:
– What's the problem? You can already carry routing protocols over IPsec.
– Yes, but you can't actually use them to ROUTE.
– Huh?
– The IPsec Security Associations have selectors that determine the traffic they allow. They are like static routes.
– Oh… Yeah… I see the problem.
(Figure: Sites A, Y and Z, each with a CPE IPsec gateway, connected across an untrusted network.)
• Typical dynamic routing issues
– “Z” adds a new network
– New site added (Hub/spoke model)
– A link (IPsec connection) breaks; re-route through another site
SP, SA Databases determine "routing" into tunnels – cannot adapt dynamically
(Figure: IPsec gateway (CPE) at Site A with its SPD and SAD; outbound traffic to Sites X, Y and Z crosses the untrusted network over SA pairs, one per address range.)
Route exchange possible, but useless… (SPD, SAD control "routing")
The basic solution
• Remove the tunnel's "static routes" …. HOW?
• (1) Use "wild card" in tunnel SAs (allow all traffic) OR
• (2) Use encapsulation to make the traffic fit the "static route", by setting the destination address in the encapsulated traffic
– IP-in-IP over Transport (IIPtran)
– Generic Routing Encapsulation (GRE) in tunnel or transport
• Both approaches are essentially similar in key ways, but (2) is more secure
– IPsec can still apply source/destination selectors
– Less chance for errors due to different systems' dynamic routing abilities
• Either way, you must do "routing" (SA selection or encapsulation addressing) outside IPsec, and push traffic into a "VPN Tunnel" (may be Transport Mode)
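As an added illustration (not from the slides), the following toy Python model of the SPD lookup shows the selector-as-static-route problem of approach (1) without wildcards, and how GRE over transport mode in approach (2) lets a routing table, not the SA selectors, choose the tunnel. The gateway addresses, prefixes and SPD entries are constructed for the example.

```python
import ipaddress

class Policy:
    def __init__(self, src, dst, proto, action):
        self.src = ipaddress.ip_network(src)   # source address selector
        self.dst = ipaddress.ip_network(dst)   # destination address selector
        self.proto = proto                     # None matches any protocol
        self.action = action                   # e.g. "protect:Z" = SA to site Z

def spd_lookup(spd, src, dst, proto):
    """First-match SPD lookup; no matching policy means discard (RFC 4301)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.src and d in p.dst and p.proto in (None, proto):
            return p.action
    return "discard"

def route_lookup(rib, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, as a RIB does."""
    d = ipaddress.ip_address(dst)
    hits = [(n, nh) for n, nh in rib if d in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Constructed public addresses of the CPE gateways at sites A, Y and Z.
SITE_A_PUB, SITE_Y_PUB, SITE_Z_PUB = "192.0.2.1", "198.51.100.1", "203.0.113.1"

# (1) Tunnel-mode SAs at site A, one selector per remote address range:
# these selectors are the tunnel "static routes" the slides describe.
SPD_STATIC = [
    Policy("10.1.0.0/16", "10.2.0.0/16", None, "protect:Y"),
    Policy("10.1.0.0/16", "10.3.0.0/16", None, "protect:Z"),
]
# (2) GRE over transport mode: one selector per peer, keyed on gateway
# addresses and protocol GRE, regardless of the encapsulated destination.
SPD_GRE = [
    Policy(SITE_A_PUB + "/32", SITE_Y_PUB + "/32", "gre", "protect:Y"),
    Policy(SITE_A_PUB + "/32", SITE_Z_PUB + "/32", "gre", "protect:Z"),
]

def forward_gre(rib, dst):
    """Approach (2): the RIB picks the GRE endpoint; IPsec sees only the outer header."""
    endpoint = route_lookup(rib, dst)
    if endpoint is None:
        return "no-route"
    return spd_lookup(SPD_GRE, SITE_A_PUB, endpoint, "gre")

# Site A's RIB after site Z announces 10.4.0.0/16 over OSPF/RIP across the GRE tunnels.
RIB = [(ipaddress.ip_network("10.2.0.0/16"), SITE_Y_PUB),
       (ipaddress.ip_network("10.3.0.0/16"), SITE_Z_PUB),
       (ipaddress.ip_network("10.4.0.0/16"), SITE_Z_PUB)]
```

With the static SPD, traffic to the newly announced 10.4.0.0/16 hits no selector and is discarded, while the GRE path forwards it through the SA to site Z without any change to the SPD.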
(Figure: Sites X, Y and Z, each with a CPE holding an SPD, an SAD and a routing function; outbound traffic is routed into the tunnels, with route exchange via OSPF, RIP, etc. across the untrusted network.)
(Figure: transport-mode packet: IP header followed by data, with optional encryption.)
Split Tunneling:
(Figure: a host behind a firewall with an IPsec tunnel to the IPsec gateway across the untrusted network, plus a direct path to the Internet.)
Why allow split tunneling?
• Misconfiguration
• Default Route issues
• Internal Routing Attack
• Routing authentication
• Options for OSPF
– Keyed MD5 verifies identity
– Digital signature allows tracing of bad route information
• Audit routers for bogus routes
• Restrict use of routing protocols on hosts
– Use default route instead
– Implement redundancy on routers (VRRP) or switches in LAN, not in host routing
(Figure: Sites X, Y and Z, each with a CPE holding firewall functions, an SPD, an SAD and a routing function; outbound traffic is routed into the tunnels, with route exchange via OSPF, RIP, etc. across the untrusted network.)
Thank You!